I have an S3 bucket that acts as a static website and I am using API Gateway to distribute traffic to it. I understand CloudFront is a better option here, but please do not suggest it. It is not an option, due to reasons I won't go into.
I am accomplishing my solution by configuring a {proxy+} resource. Image below:
I would like to only allow access to the S3 website from the API Gateway proxy resource. Is there a way I can provide an execution role to the proxy resource, similarly to how you can provide an execution role to a resource that runs a Lambda function? Lambda execution role example below:
The integration request portion of the proxy resource doesn't seem to have an execution role:
Or is there a way I can assign a role to the entire API Gateway to provide it the right to access the S3 bucket?
Other things I have tried:
Editing the bucket policy to only allow traffic from the API gateway service:
```json
{
  "Version": "2012-10-17",
  "Id": "apiGatewayOnly",
  "Statement": [
    {
      "Sid": "apiGW",
      "Effect": "Allow",
      "Principal": {
        "Service": ["api-gateway-amazonaws.com"]
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::test-proxy-bucket-01/*"
    }
  ]
}
```
Editing the bucket policy to only allow traffic from API Gateway's URL:
```json
{
  "Version": "2012-10-17",
  "Id": "http referer policy example",
  "Statement": [
    {
      "Sid": "Allow get requests originating from www.example.com and example.com.",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::test-proxy-bucket-01/*",
      "Condition": {
        "StringLike": {
          "aws:Referer": [
            "https://xxxxxxx.execute-api.us-east-2.amazonaws.com/prod/",
            "http://xxxxxxxx.execute-api.us-east-2.amazonaws.com/prod"
          ]
        }
      }
    }
  ]
}
```
apigateway.amazonaws.com
Refer to docs for more details.
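The two policies in the question fail for reasons that are easy to miss by eye: the service principal is spelled `api-gateway-amazonaws.com` (no dot before `amazonaws`, so it is not a valid service principal at all), and `Resource` is given as the website URL rather than an S3 ARN. The following script is an added example, not code from the question or the answer: it lints a bucket policy for exactly those mistakes and then builds a corrected policy that grants `s3:GetObject` only to `apigateway.amazonaws.com`. The `aws:SourceArn` condition that pins the grant to one specific API (an `execute-api` ARN) is my addition and assumes the request reaches S3 signed as that service principal; the bucket name is the one from the question, and the API ARN is a placeholder.

```python
import json
import re

# Service principals take the form "<service>.amazonaws.com". The API Gateway
# entry is the one given in the answer; extend this set for other services.
KNOWN_SERVICE_PRINCIPALS = {"apigateway.amazonaws.com"}
SERVICE_PRINCIPAL_RE = re.compile(r"^[a-z0-9-]+\.amazonaws\.com$")
# S3 resources in bucket policies must be ARNs, never website/REST URLs.
S3_ARN_RE = re.compile(r"^arn:aws:s3:::[a-z0-9.-]+(/.*)?$")


def lint_bucket_policy(policy: dict) -> list:
    """Return a list of human-readable problems found in an S3 bucket policy."""
    problems = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        if principal in ("", None, {}):
            problems.append(f"{sid}: Principal is empty; use '*' or a specific principal")
        elif isinstance(principal, dict):
            services = principal.get("Service", [])
            if isinstance(services, str):
                services = [services]
            for svc in services:
                if not SERVICE_PRINCIPAL_RE.match(svc):
                    problems.append(f"{sid}: malformed service principal {svc!r}")
                elif svc not in KNOWN_SERVICE_PRINCIPALS:
                    problems.append(f"{sid}: unrecognised service principal {svc!r}")
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for res in resources:
            if not S3_ARN_RE.match(res):
                problems.append(f"{sid}: Resource {res!r} is not an S3 ARN (arn:aws:s3:::bucket/key)")
    return problems


def build_api_gateway_only_policy(bucket: str, api_arn: str) -> dict:
    """Corrected policy: only the API Gateway service principal may GetObject,
    and (assumption) only on behalf of the API named by api_arn, so a different
    API in another account cannot reuse the grant."""
    return {
        "Version": "2012-10-17",
        "Id": "apiGatewayOnly",
        "Statement": [
            {
                "Sid": "apiGW",
                "Effect": "Allow",
                "Principal": {"Service": "apigateway.amazonaws.com"},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {"ArnLike": {"aws:SourceArn": api_arn}},
            }
        ],
    }


# The first policy from the question, reproduced as sample input.
ASKER_POLICY = {
    "Version": "2012-10-17",
    "Id": "apiGatewayOnly",
    "Statement": [
        {
            "Sid": "apiGW",
            "Effect": "Allow",
            "Principal": {"Service": ["api-gateway-amazonaws.com"]},
            "Action": "s3:GetObject",
            "Resource": "http://test-proxy-bucket-01.s3-website.us-east-2.amazonaws.com/*",
        }
    ],
}

# Placeholder API ARN (account id and API id are made up for the example).
EXAMPLE_API_ARN = "arn:aws:execute-api:us-east-2:123456789012:abcdef1234/*"


def corrected_policy() -> dict:
    return build_api_gateway_only_policy("test-proxy-bucket-01", EXAMPLE_API_ARN)


if __name__ == "__main__":
    for problem in lint_bucket_policy(ASKER_POLICY):
        print("problem:", problem)
    print(json.dumps(corrected_policy(), indent=2))
    print("corrected policy problems:", lint_bucket_policy(corrected_policy()))
```

Run the script as-is and it reports the two defects in the question's first policy and prints a policy that passes the same checks. Note the principal check is purely syntactic: a well-formed but wrong service name still passes the regex, which is why the allow-list is consulted as well.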